The FreeBSD Project has issued a sweeping set of seven security advisories resolving highly critical vulnerabilities nested within the platform’s core operating system modules.
The flaws range from kernel-level memory corruption primitives to an unexpected over-the-air remote code execution (RCE) vector. Because several of them allow unprivileged local users, or attackers within radio range, to gain full root control, administrators are strongly urged to schedule emergency patching immediately.
Over-the-Air Danger: Wi-Fi Scanner RCE (CVE-2026-45255)
The most surprising and operationally urgent advisory in this bundle addresses a critical shell-expansion vulnerability in bsdinstall and bsdconfig, the system's interactive setup utilities.
When an administrator asks the OS to scan for nearby Wi-Fi networks, the underlying shell script presents the returned network names using bsddialog(1). However, the script failed to safely escape these strings. As the FreeBSD advisory notes:
“The code which handled network names was not careful to prevent expansion by the shell. As a result, a suitably crafted network name can be used to execute commands via a subshell.”
This grants physical attackers within radio range the power to execute arbitrary code as root. Worryingly, systems are “vulnerable as soon as the user prompts them to scan for nearby networks; they do not need to actually select the malicious network.”
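The root cause is a quoting problem in a shell script, so the defensive pattern is worth seeing in code. The following is an added illustration, not the bsdinstall/bsdconfig code: it parses a constructed scan listing and hands every network name to a dialog program as a separate, unexpanded argument (print_args stands in for the bsddialog binary; the scan output and its SSID column format are assumptions).

```sh
#!/bin/sh
# Added illustration (not FreeBSD project code): pass Wi-Fi network names
# to a menu program without letting the shell expand them.

# Constructed sample of scan output: SSID, BSSID, channel.
# The second SSID contains a command substitution; a safe script must
# hand it over as literal text, never as something the shell evaluates.
SCAN_OUTPUT='HomeNet        00:11:22:33:44:55    6
Cafe $(echo EXPANDED)  66:77:88:99:aa:bb   11'

# UNSAFE pattern (the class of bug the advisory describes): building one
# command string from the names and running it through eval, e.g.
#   eval "bsddialog --menu ... $items"
# which lets "$(...)" inside a name run as a subshell.
#
# SAFE pattern: keep every name in its own positional parameter and pass
# "$@"; the shell performs no expansion on the contents of "$@".

# Print the SSID column of each scan line, verbatim, one per line.
# Assumption: the SSID is everything before the first run of two spaces.
scan_ssids() {
    printf '%s\n' "$SCAN_OUTPUT" | sed 's/  .*$//'
}

# Stand-in for the dialog binary: print each received argument on its own
# line so the caller can verify exactly what the program was given.
print_args() {
    printf '%s\n' "$@"
}

# Build the "tag item" pairs that a --menu style option list expects and
# invoke the given command with them as separate arguments.
with_menu_args() {
    cmd=$1
    scan_ssids | {
        set --
        n=0
        while IFS= read -r ssid; do
            n=$((n + 1))
            set -- "$@" "$n" "$ssid"
        done
        "$cmd" "$@"
    }
}

with_menu_args print_args
```

Replacing print_args with `bsddialog --menu "Select a network" 0 0 0` gives the real menu while keeping every name literal.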
Core Kernel Failures: Setcred and Descriptor Handshakes
Two major vulnerabilities hit the kernel interface boundary, allowing local privilege escalation to superuser status:
- Stack Overflow via setcred(2) (CVE-2026-45250): Designed to let privileged utilities atomically modify a process's credentials, the setcred(2) system call copies user-supplied supplementary groups into a fixed-size kernel stack buffer before checking caller rights. Because it skips initial length validation, an unprivileged user can intentionally trigger a stack buffer overflow to execute arbitrary code directly in the kernel context.
- Kernel Use-After-Free via File Descriptors (CVE-2026-45251): When a thread blocks inside a select(2) or poll(2) call, closing the targeted file descriptor can cause the underlying object to be freed. For certain descriptor types, the kernel “failed to unlink blocked threads from the object before freeing it,” leaving those threads to access freed memory when they wake up.
Sandboxing Breaches: Libcasper, Cap_net, and FUSE Modules
The remainder of the patch cycle reinforces FreeBSD’s specialized Capsicum sandboxing and filesystem layers:
- FUSE Extended Attributes (CVE-2026-45252): The fusefs module passes FUSE_LISTXATTR messages to userspace daemons. The kernel module calls strlen() on the returned strings without validating NUL-termination, allowing a malicious mount daemon to leak kernel heap memory or write into unallocated memory.
- Libcasper Stack Overflow (CVE-2026-39461): The helper proxy libcasper(3) fails to verify that its UNIX socket descriptors fit within the FD_SETSIZE limit of 1024. This allows attackers to trigger stack corruption and escalate privileges via setuid-root binaries.
- Cap_net Permission Leak (CVE-2026-45254): The sandboxed capability broker libcap_net contains a logic flaw where keys omitted from a modified limit configuration are mistakenly treated as “allow any,” so applications can broaden their network boundaries rather than narrowing them.
- Ptrace Missing Validation (CVE-2026-45253): The debugging interface ptrace(PT_SC_REMOTE) failed to validate the parameters of the system call it is asked to execute remotely, letting debuggers trigger kernel code execution.
Remediation Mandate
There are no known workarounds for the majority of these flaws. Administrators must update their deployments via binary sets (freebsd-update fetch install), base system packages (pkg upgrade -r FreeBSD-base), or official source code patches, followed by a full system reboot.